RE: Auditing / Logging

From: Steve Armstrong (steve_at_logicallysecure.org)
Date: 01/19/04

    To: "'Rob Shein'" <shoten@starpower.net>
    Date: Mon, 19 Jan 2004 22:49:39 -0000
    
    

    Rob

    Having used Keykatcher, I must advise you that it has one (excuse the
    pun) key limitation - it only replays the keystrokes.

    By this I mean it re-enters the keystrokes to an output computer and
    thus the use of cursor keys will move the live cursor round the screen.
    This results in an output that is not always replayable, understandable
    and certainly rarely usable as evidence as to in what order commands
    were issued. In my experience to glean any useful information, the
    output must be watched in case critical output is overwritten/overtyped
    by the roving cursor.

    Hope this helps.

    Steve A
     
    This email was scanned upon despatch by Norton AntiVirus.

    -----Original Message-----
    From: Rob Shein [mailto:shoten@starpower.net]
    Sent: 17 January 2004 01:01
    To: 'Don Parker'; 'R. DuFresne'
    Cc: 'n30'; security-basics@securityfocus.com; pen-test@securityfocus.com
    Subject: RE: Auditing / Logging

    If you want the function of a keylogger without having to worry about
    software/OS compatibility, simply use a Key Katcher (www.keykatcher.com)
    between your keyboard and computer. Just be sure to sed out any
    password/login combinations to your own stuff that you use. Oh, one
    thing; I don't think it'll work on Sun hardware.

    > -----Original Message-----
    > From: Don Parker [mailto:dparker@rigelksecurity.com]
    > Sent: Monday, January 12, 2004 6:18 PM
    > To: R. DuFresne; Don Parker
    > Cc: n30; security-basics@securityfocus.com; pen-test@securityfocus.com
    > Subject: Re: Auditing / Logging
    >
    >
    >
    > Well, you raise a valid point as to the commands not being logged.
    > Again I would prefer simplicity, so just install a keylogger.
    > There is no need to overcomplicate things. Though a keylogger
    > will not work on most *nix systems to my knowledge. Though all of
    > this should be negotiated with the client prior to the pen test
    > being done ie: what kinds of logs will be retained and the such.
    > This is one thing which should be spelt out clearly prior to any
    > pen test actually taking place.
    >
    > Cheers
    >
    > -------------------------------------------
    > Don Parker, GCIA
    > Intrusion Detection Specialist
    > Rigel Kent Security & Advisory Services Inc
    > www.rigelksecurity.com ph :613.249.8340 fax:613.249.8319
    > --------------------------------------------
    >
    > On Jan 12, "R. DuFresne" <dufresne@sysinfo.com> wrote:
    >
    > On Mon, 12 Jan 2004, Don Parker wrote:
    >
    > > The simplest solution would be to simply log all activity using
    > > tcpdump in binary format. This decreases the file size, is faster,
    > > and allows you to manipulate it after. You can also input this
    > > binary log into any protocol analyzer afterwards as well ie:
    > > ethereal, etherpeek nx and the such.
    > >
    > > Doing the above also gives you and your client a copy of exactly
    > > what it is you have done during your pen test should there be any
    > > questions/complaints.
    >
    >
    > Which is great on the data being obtained, yet fails to
    > retain the nature of the exact command that retrieved the
    > data, so make sure one either tee's all commands to a file
    > <date stamps can help here> or one runs script or something.
    > This helps if one has data results that are similar and they
    > need to know which command applies to which data, as well as
    > make it possible to dupe scenarios.
    >
    > Thanks,
    >
    > Ron DuFresne
    > --
    > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    > admin & senior security consultant: sysinfo.com
    > http://sysinfo.com
    >
    > "Cutting the space budget really restores my faith in
    > humanity. It eliminates dreams, goals, and ideals and lets
    > us get straight to the business of hate, debauchery, and
    > self-annihilation."
    > -- Johnny Hart
    >
    > testing, only testing, and damn good at it too!
    >
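
Added example (not part of the original thread): the tee-with-date-stamps approach Ron DuFresne describes, in POSIX shell, so that each block of output in the log sits under the exact command that produced it, plus a redacted copy in the spirit of Rob Shein's advice to sed out your own credentials. The names logrun, redact_copy and AUDIT_LOG are hypothetical.

```shell
#!/bin/sh
# Added example; logrun, redact_copy and AUDIT_LOG are hypothetical names.
AUDIT_LOG="${AUDIT_LOG:-./pentest-audit.log}"

# logrun CMD [ARGS...]: log the command with a UTC date stamp, tee its
# output (stdout and stderr) into the same log, then log the exit status.
logrun() {
    _rcfile=$(mktemp) || return 1
    echo 0 >"$_rcfile"
    # "$*" flattens quoting; the log shows the words, not the shell syntax.
    printf '=== %s CMD: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$AUDIT_LOG"
    # A pipeline reports tee's status, so the command's own status is
    # passed out of the pipeline through a temporary file.
    { "$@" 2>&1 || echo "$?" >"$_rcfile"; } | tee -a "$AUDIT_LOG"
    _rc=$(cat "$_rcfile")
    rm -f "$_rcfile"
    printf '=== %s EXIT: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$_rc" >>"$AUDIT_LOG"
    return "$_rc"
}

# redact_copy SECRET: print the log with every literal occurrence of SECRET
# replaced; the original log is left untouched as the record of the test.
redact_copy() {
    [ -n "$1" ] || return 2
    SECRET="$1" awk '
        BEGIN { s = ENVIRON["SECRET"] }
        {
            out = ""
            while ((i = index($0, s)) > 0) {
                out = out substr($0, 1, i - 1) "[REDACTED]"
                $0 = substr($0, i + length(s))
            }
            print out $0
        }' "$AUDIT_LOG"
}

# Usage: logrun ping -c 1 192.0.2.10; redact_copy 'my-own-password' >report.log
```

Because the command line, its output and its exit status are appended in order to one file, similar-looking results can be matched back to the command that retrieved them.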
